Metasploit is a relatively simple (though occasionally frustrating) penetration-testing tool and a good "free" alternative to the commercial competition. But when Rapid7 acquired Metasploit, I was skeptical about how things would turn out. You know the drill: Acquisitions often end up running a good thing into the ground. However, things are looking pretty good a year later. Rapid7 now has a commercial version of Metasploit dubbed Metasploit Express that promises to accelerate and automate penetration testing.

During installation, you'll be notified that the application is not compatible with common antivirus and firewall applications. True. That alone can help save you hours of headache. However, given the security implications of forgetting that anti-malware and personal firewall software are disabled, you should run Metasploit on a dedicated -- ideally sandboxed -- test machine in case something goes awry.

Once you have Metasploit Express running, you'll begin to see the value of the commercial security testing tools. Penetration testing is literally point and click. In typical ethical hacking fashion, the Metasploit Express workflow takes you through the following steps:

1. Discovering hosts and services on your network (via the Discovery process, the NeXpose plug-in or by importing from other scanners such as Nessus and QualysGuard)

2. Exploiting the vulnerabilities

3. Collecting information from the exploited host(s)

This exploitation phase is where the true value of such a tool becomes evident. As shown in Figure 1, you can literally tell Metasploit Express which host or hosts it must test for vulnerabilities to exploit, and it automates the entire process.

Once a vulnerability is exploited, you can access the system and "collect evidence" including passwords, Secure Shell keys, and other files. With the traditional version of Metasploit, you could take a screenshot of a remote command prompt, add a user account, etc., but that was the extent of your evidence-collection options. Now you can generate various reports to deliver directly to management or customers or complement your overall security assessment report.

Command-line junkies may not appreciate the value of how the Express version's GUI can take the pain out of security testing. However, ease of use can let additional people use such a tool to prove security vulnerabilities. Anything that helps get the attention of management and demonstrates exploitable flaws on critical production systems -- and thus weaknesses in IT processes such as patching, change management and system hardening -- will serve to improve overall information security in the long term.

There is a downside to such ease of use: Practically anyone, including nontechnical people, can use Metasploit Express. A staffer who isn't familiar with ethical hacking methodology and its potential outcomes could unintentionally crash production systems or create back doors that an attacker could subsequently exploit. This is really a management and network administration issue that can be prevented with the proper technical and operational controls, but it's something to think about nonetheless.
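One of the technical controls the paragraph above calls for is a post-engagement check that the test artifacts (such as the "add a user account" evidence mentioned earlier) were actually removed. The following script is an added example and is not code from the article or from Rapid7's product; it compares a snapshot of local accounts taken before the test with one taken afterwards and flags anything new, anything root-equivalent, and anything not on the agreed list of test accounts. The two snapshots, the account names in them and the `approved` list are constructed sample data in /etc/passwd format.

```python
"""Post-engagement account audit (added example, not part of the original article).

Diffs two /etc/passwd-style snapshots so that an account added during a
penetration test does not quietly remain as a back door. The snapshots below
are constructed sample data; in practice the baseline is captured before the
test and the second snapshot after cleanup.
"""

# Constructed baseline snapshot taken before the test.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed snapshot taken after the test: one agreed test account
# ("pentest") and one unexpected UID 0 account ("backup2").
AFTER_TEST = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
pentest:x:1001:1001:msf evidence:/home/pentest:/bin/bash
backup2:x:0:0:backup:/root:/bin/bash
"""

# Shells that do not permit an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {username: (uid, gid, shell)} from passwd-format text.

    Blank lines and comments are skipped; a line without exactly seven
    colon-separated fields is treated as corruption and rejected.
    """
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _, uid, gid, _, _, shell = fields
        accounts[name] = (int(uid), int(gid), shell)
    return accounts


def audit_accounts(baseline_text, current_text, approved=()):
    """Compare two snapshots and return a findings dict.

    added       - accounts present now but absent from the baseline
    removed     - baseline accounts that have disappeared
    uid0        - added accounts with UID 0 (root-equivalent back doors)
    interactive - added accounts that have a login shell
    unapproved  - added accounts not on the agreed test-account list
    """
    before = parse_passwd(baseline_text)
    after = parse_passwd(current_text)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return {
        "added": added,
        "removed": removed,
        "uid0": [n for n in added if after[n][0] == 0],
        "interactive": [n for n in added if after[n][2] not in NOLOGIN_SHELLS],
        "unapproved": [n for n in added if n not in approved],
    }


if __name__ == "__main__":
    report = audit_accounts(BASELINE, AFTER_TEST, approved=("pentest",))
    for key, names in report.items():
        print(f"{key:>11}: {', '.join(names) or '-'}")
```

Run against the sample snapshots, the report lists both new accounts under `added`, but only `backup2` under `uid0` and `unapproved`, which is exactly the kind of leftover the change-management review should catch before the test machine's results are accepted.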

It'll be interesting to see how Rapid7's competition -- Core Security Technologies and Immunity -- respond to Metasploit Express in the coming months. Will there be a price war? Price and perceived value are certainly big factors in information security testing. Will the established tools tout even more features? I'm not convinced that you need a lot of bells and whistles to prove a vulnerability, but some people can benefit from additional innovation. Regardless, one thing's for sure: Another player in the penetration testing tool market is great news for all involved.
